Basel II, Sarbanes-Oxley, and increased regulatory scrutiny are the catalysts for a renewed emphasis on risk assessment and internal control. The regulatory environment has triggered significant efforts to identify, document and assess key operational, financial, and compliance risks, as well as the primary control activities that mitigate them. However, the risk management exercise of identifying risks and documenting controls will have little impact on the flow of losses and violations, or on the reduction of risk exposure, without active control management, which involves more than producing documentation. A desired objective of an effective risk management program is a more meaningful contribution to business results.
All organizations function through processes. If a risk management program is not process focused, the risk manager will lack visibility into segments of business risk, into points of vulnerability in the process life cycle, and into the primary controls necessary to effectively mitigate the exposure points across the entire business process.
Everything the business does is executed through a process (e.g., new account origination, business continuity management, and payment posting). Although the process steps may vary from company to company, the underlying business processes themselves are generally uniform within the same industry. There is a natural intersection between process and risk: risks exist because of the processes a business performs, and a risk exposure arises whenever the business executes a process that carries inherent risk.